Description:

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. IAM provides the infrastructure necessary to control authentication and authorization for your account.

Rationale:

Requiring the user to take additional steps to obtain programmatic access after their profile has been created gives a stronger indication that access keys are actually needed for their work, and makes it clear that, once an access key exists on an account, it may be in use somewhere in the organization.

Impact:

Reduces unnecessary access to the console.

Default Value:

AWS console defaults to no check boxes selected when creating a new IAM user. When creating the IAM user credentials, you have to determine what type of access they require.

Pre-Requisite:

IAM User

Remediation:

Test Plan:

  • AWS Console Process

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the left navigation pane select users.

  3. Click on a user whose Password age and Active key age columns are not set to None.

  4. Click on the Security credentials tab.

  5. Compare the user's Creation time to the Access Key Created date.

  6. For any that match, the key was created during initial user setup.


  • Using AWS CLI

  • Run the following command (OSX/Linux/UNIX) to generate a list of all IAM users along with their access keys utilization:


    aws iam generate-credential-report 

    aws iam get-credential-report --query 'Content' --output text | base64 -d | cut -d, -f1,4,9,11,14,16

    The output of this command will produce a table similar to the following:

    user,password_enabled,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date

    elise,false,true,2015-04-16T15:14:00+00:00,false,N/A

    brandon,true,true,N/A,false,N/A

    rakesh,false,false,N/A,false,N/A

    helene,false,true,2015-11-18T17:47:00+00:00,false,N/A

    paras,true,true,2016-08-28T12:04:00+00:00,true,2016-03-04T10:11:00+00:00

    anitha,true,true,2016-06-08T11:43:00+00:00,true,N/A
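    The console and CLI steps above leave the comparison of a key's creation time with the user's creation time to the reader. The following Python script is an added example, not part of the original benchmark text, that performs that comparison over the decoded credential report (the CSV that the `aws iam get-credential-report ... | base64 -d` command above produces, before the `cut`). It relies on the report's `user_creation_time` and `access_key_N_last_rotated` columns (for a key that has never been rotated, `last_rotated` is its creation time) and on a five-minute tolerance between the two timestamps, which is an assumption of this example; the report rows embedded in the script are constructed sample data, not output from a real account.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample credential report. The header is the real column layout of
# the IAM credential report; every row value below is made up for this example.
SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::111122223333:root,2015-01-01T00:00:00+00:00,not_supported,2016-09-01T08:00:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
brandon,arn:aws:iam::111122223333:user/brandon,2016-02-10T09:30:12+00:00,true,2016-09-02T10:00:00+00:00,2016-02-10T09:30:12+00:00,N/A,false,true,2016-02-10T09:30:14+00:00,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
elise,arn:aws:iam::111122223333:user/elise,2015-04-01T12:00:00+00:00,false,N/A,N/A,N/A,false,true,2015-04-01T12:00:00+00:00,2015-04-16T15:14:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
paras,arn:aws:iam::111122223333:user/paras,2016-03-01T08:00:00+00:00,true,2016-08-30T07:00:00+00:00,2016-03-01T08:00:00+00:00,N/A,true,true,2016-03-01T08:00:01+00:00,2016-08-28T12:04:00+00:00,eu-west-1,ec2,true,2016-03-04T10:00:00+00:00,2016-03-04T10:11:00+00:00,eu-west-1,ec2,false,N/A,false,N/A
anitha,arn:aws:iam::111122223333:user/anitha,2016-05-20T14:00:00+00:00,true,2016-09-01T09:15:00+00:00,2016-05-20T14:00:00+00:00,N/A,true,true,2016-06-01T11:00:00+00:00,2016-06-08T11:43:00+00:00,us-west-2,lambda,true,2016-05-20T14:00:03+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""

# How close key creation and user creation must be to count as "created during
# initial user setup". Five minutes is an assumption chosen for this example.
SETUP_WINDOW = timedelta(minutes=5)


def parse_time(value):
    """Parse a credential-report timestamp; the report's placeholders become None."""
    if value in ("N/A", "not_supported", "no_information", ""):
        return None
    return datetime.fromisoformat(value)


def find_setup_time_keys(report_text, tolerance=SETUP_WINDOW):
    """Return one finding per active access key created together with its user.

    Only users with a console password are checked, matching the test plan above
    (root and programmatic-only users are skipped). Each finding records whether
    the key has ever been used; unused setup-time keys are the deletion candidates.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(report_text)):
        if row["password_enabled"] != "true":
            continue
        created = parse_time(row["user_creation_time"])
        if created is None:
            continue
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            # For a never-rotated key, last_rotated is the key's creation time.
            rotated = parse_time(row[f"access_key_{slot}_last_rotated"])
            if rotated is None or abs(rotated - created) > tolerance:
                continue
            last_used = parse_time(row[f"access_key_{slot}_last_used_date"])
            findings.append({
                "user": row["user"],
                "key_slot": int(slot),
                "unused": last_used is None,
            })
    return findings


def deletion_candidates(findings):
    """Narrow findings to keys that were created at setup time and never used."""
    return [f for f in findings if f["unused"]]


if __name__ == "__main__":
    results = find_setup_time_keys(SAMPLE_REPORT)
    for f in results:
        status = "never used" if f["unused"] else "in use"
        print(f"{f['user']}: access key {f['key_slot']} created at user setup ({status})")
    for f in deletion_candidates(results):
        # The credential report does not contain access key IDs; look them up
        # with `aws iam list-access-keys --user-name <user>` before deleting.
        print(f"candidate for removal: {f['user']} key slot {f['key_slot']}")
```

    To run it against a real account, replace SAMPLE_REPORT with the decoded report text from the command above. The report does not include access key IDs, so the delete-access-key command in the implementation plan still needs the ID from `aws iam list-access-keys --user-name <users-name>` for each flagged user.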

Implementation Plan:

    • AWS Console Process

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the left navigation pane select users.

    3. Click on desired user.

    4. Click security credentials

    5. Click on the X (Delete) for keys that were created at the same time as the user profile but have not been used.  


    • Using AWS CLI

    The following delete-access-key command deletes the specified access key (access key ID and secret access key) for the IAM user.


    aws iam delete-access-key --access-key-id <access-key-id-listed> --user-name <users-name>


Backout Plan:

    • AWS Console Process

    1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

    2. In the left navigation pane select users.

    3. Click on desired user.

    4. Click security credentials

    5. Scroll down to Access keys and click Create access key.


    • Using AWS CLI

    The following create-access-key command creates an access key (access key ID and secret access key) for the IAM user.

    aws iam create-access-key --user-name <users-name>